Insecure permissions on profile directory (CVE-2019-18192)
We have become aware of a security issue for Guix on multi-user systems that we have just fixed (CVE-2019-18192). Anyone running Guix on a multi-user system is encouraged to upgrade guix-daemon; see below for instructions.
Context
The default user profile, ~/.guix-profile, points to /var/guix/profiles/per-user/$USER. Until now, /var/guix/profiles/per-user was world-writable, allowing the guix command to create the $USER sub-directory.
On a multi-user system, this allowed a malicious user to create and populate that $USER sub-directory for another user that had not yet logged in. Since /var/…/$USER is in $PATH, the target user could end up running attacker-provided code. See the bug report for more information.
This issue was initially reported by Michael Orlitzky for Nix (CVE-2019-17365).
Fix
The fix consists in letting guix-daemon create these directories on behalf of users and in removing the world-writable permissions on per-user.
For cluster setups where clients connect to the daemon over TCP (thanks to the --listen option of guix-daemon), the fix requires guix-daemon to be able to resolve user names so that it can create /var/…/per-user/$USER with the right ownership.
Note also that the guix command prior to this fix would not communicate the user name it’s running under to the daemon, thereby preventing the daemon from creating that directory on its behalf.
Upgrading
On multi-user systems, we recommend upgrading the daemon now.
To upgrade the daemon on Guix System, run:
guix pull
sudo guix system reconfigure /etc/config.scm
sudo herd restart guix-daemon
On other distros, run something along these lines:
sudo guix pull
sudo systemctl restart guix-daemon.service
Once you’ve run guix build hello or any other guix command, you should see that /var/guix/profiles/per-user is no longer world-writable:
$ ls -ld /var/guix/profiles/per-user
drwxr-xr-x 5 root root 4096 Jun 23 2017 /var/guix/profiles/per-user
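As an added example (not part of the original post or of Guix itself), the following POSIX shell function turns the check above into an audit of the whole per-user tree: it flags a world-writable parent directory, the pre-fix state, and any $USER sub-directory not owned by the account of that name, which is what a directory pre-created by another user would look like. It assumes GNU coreutils stat (the -c option), as found on Guix System; the path argument is optional and defaults to /var/guix/profiles/per-user.

```shell
# Audit a per-user profile directory tree. Added example, not Guix code.
# Assumes GNU coreutils `stat -c` (as on Guix System and most GNU/Linux).
# Prints one FINDING line per problem and returns 0 only when none is found:
#   1. the parent directory is world-writable (the pre-fix state), or
#   2. a $USER sub-directory is not owned by the account of that name,
#      which is what a directory pre-created by another user looks like.
# Usage: audit_per_user [DIR]   (DIR defaults to /var/guix/profiles/per-user)
audit_per_user() {
    dir=${1:-/var/guix/profiles/per-user}
    findings=0

    # %A gives the symbolic mode, e.g. drwxrwxrwt; after the type letter,
    # the 9th character is the "other" write bit (the 8th of the 9 bits).
    perms=$(stat -c %A "$dir") || return 2
    case $perms in
        ????????w*)
            echo "FINDING: $dir is world-writable ($perms)"
            findings=$((findings + 1)) ;;
    esac

    # Every sub-directory should be owned by the user it is named after;
    # after the fix, guix-daemon creates them with that ownership itself.
    for sub in "$dir"/*; do
        [ -d "$sub" ] || continue
        name=${sub##*/}
        owner=$(stat -c %U "$sub")
        if [ "$owner" != "$name" ]; then
            echo "FINDING: $sub is owned by $owner, expected $name"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

A non-zero exit with a FINDING for the parent directory means the daemon upgrade has not taken effect yet; a FINDING for a sub-directory is worth inspecting before that user logs in.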
Please report any issues you may have to guix-devel@gnu.org. See the security web page for information on how to report security issues.
About GNU Guix
GNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the kernel Linux, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.
Unless otherwise stated, blog posts on this site are copyrighted by their respective authors and published under the terms of the CC-BY-SA 4.0 license and those of the GNU Free Documentation License (version 1.3 or later, with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts).